EM12c: How to Retrieve Passwords from the Named Credentials

In my previous post, I showed how to list all named credentials in Enterprise Manager Cloud Control. As you saw, this was not possible using the regular user interface, so we connected to the repository database to get the information. Now let’s keep digging and see if we can retrieve the “encrypted information” saved in named credentials.

The username, password and role information of named credentials is stored in the em_nc_cred_columns table. When we examine it, we can see that there is a one-to-many relation with em_nc_creds using the target_guid column, and that the sensitive information is stored in the cred_attr_value column. That column is encrypted using the em_crypto package. The encryption algorithm uses a secret key, which is stored in the “Admin Credentials Wallet”, and a salt (random data for additional security). The wallet file is located at $MIDDLEWARE_HOME/gc_inst/em/EMGC_OMS1/sysman/config/adminCredsWallet/cwallet.sso, and the salt data can be found in the cred_salt column of the em_nc_cred_columns table. Here’s what it looks like:


To decrypt the information, we need to call decrypt in the em_crypto package, but if we call it without opening the wallet, we get the following error:

How can we read the secret key from that wallet? The easiest way is to make Enterprise Manager open the wallet and store the secret key in the repository database. So we issue the following command:

It asks for the SYSMAN password. If you enter the correct password, it reads the wallet file and stores the secret key in the repository database. Of course, this makes your system insecure. You can remove the key from the repository by issuing the command “emctl config emkey -remove_from_repos”.

OK, if you issued the above command and stored the secret key in the repository, you can use the following query to fetch the decrypted information:

Sample output:



AWS Big Data Specialist. Oracle Certified Professional (OCP) for EBS R12, Oracle 10g and 11g. Co-author of "Expert Oracle Enterprise Manager 12c" book published by Apress. Awarded as Oracle ACE (in 2011) and Oracle ACE Director (in 2016) for the continuous contributions to the Oracle users community. Founding member, and vice president of Turkish Oracle User Group (TROUG). Presented at various international conferences including Oracle Open World.


  1. Pingback: Log Buffer #409, A Carnival of the Vanities for DBAs | InsideMySQL

  2. Roy Niemann

    Stupid but serious question: Why would you want to be able to decrypt passwords? That in and of itself is insecure even if you’ve wrapped it properly. I’m just curious.

    • Gokhan Atil

      Roy, I personally do not want (and never needed) to decrypt others’ passwords but this article shows that it’s possible to decrypt passwords although they are secured by the application layer of EM12c.

  3. Pingback: list database monitoring users | Laurent Schneider

  4. Yakiv

    Hi Gokhan, very nice one.
    Real life use case – needed to extract SSH private key from OMS repository to test it from command line. Since it is also encrypted in similar way and DBA who created it was unreachable I had to decrypt it using your approach.
    Thanks a lot,

    • Gokhan Atil

      Hi Yakiv,

      I’m glad to hear that it helped you, and thanks for sharing your real life use case.

  5. Yas V

    Another real world example, we had a contractor install OEM and set this up but he didn’t leave the passwords behind for the various services. This made it easy to get a list so we can save and then secure back up. Thanks for posting this.

  6. Tom

    Thanks. Like a lot of people I had to retrieve some passwords not left by a former colleague so this came in handy. I did need to modify ‘%user%’ in line 6 to ‘%username%’ to avoid catching the “userpassword” attribute as well.
